How Biometrics Measure Up and Why They Aren’t the Cure-All for Cybersecurity

Each month there seems to be more news of data breaches, both large and small. As these events continue to increase in frequency, organizations are learning that they must adopt new security measures, and quickly. Companies are now turning their attention from password policies to alternative authentication solutions like biometric authentication, often without thinking every ramification through.

How Biometrics Measure Up in Security

The biometrics industry is expanding rapidly as tools and technology are incorporated into daily life. It’s hypothesized that the industry could be worth as much as $68.6 billion in just five years’ time. But how do biometrics measure up when it comes to securing sensitive accounts?

There’s a school of thought that passwords are responsible for most wide-scale security issues. In a sense, that’s half true, but it’s not passwords that are failing us; it’s the fact that individuals reuse passwords all the time. Password reuse means that once a user’s credentials have been stolen from one account or one hacked website, attackers can access many more important accounts and gain network access.

The Risks of Biometric Authentication

It seems logical for organizations to seek other solutions, and there are even stirrings of a password-less revolution. The most praised alternative authentication method has turned out to be biometrics, a field that has expanded dramatically in the last decade. While biometrics are useful for many situations, they are rather romanticized and present their own set of challenges and flaws, just as passwords do.

What is biometric data?

Primarily, ‘biometrics’ refers to physical or behavioral human characteristics that can be used to digitally identify a person, and then grant them access to their devices or data. The most common examples of identity verification through biometric identifiers include fingerprints, facial patterns, and voice recognition. When exploring the possibilities of biometric security use, consider the following:

The Problem with Forever

The fatal flaw with biometric data is that once it has been stolen, it’s irreplaceable. There is no way to request a change to your face structure or to rapidly update your fingerprint so you can get into your email account. If your retinal scan data is stolen from the organization responsible for keeping it safe, there is no way to reverse the damage that theft could cause. It is a true compromise and a very personal one at that.

Because biometric risks are so significant and the theft of biometric data is irreversible, it’s vital that organizations treat identity verification using biometrics with the same respect as password credentials. Fingerprint, retinal scan, and facial pattern data need to be kept as securely as possible. Up front, this might mean using a hashing algorithm and not storing any data in plain text. It’s important to recognize the responsibility of organizations as well as individuals.
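One caveat a practitioner will want here: a password-style hash of the raw template does not work for biometrics, because two readings of the same finger or face never match bit for bit, so the hashes never match either. Template-protection schemes get around this by storing a noise-tolerant commitment instead of the template. The following is an added example, not code from the original post or from any biometric vendor: a toy fuzzy commitment (the Juels and Wattenberg construction) using a simple repetition code, placed beside a plain hash comparison to show the difference. The 256-bit template, the noise pattern and the seeds are constructed for illustration; a real deployment uses a proper error-correcting code, a much larger key, and ideally keeps the template inside the device’s secure hardware rather than on a server at all.

```python
import hashlib
import hmac
import random
import secrets

# Added example (not from the original post): a toy "fuzzy commitment" that
# avoids storing a biometric template in plain text while still tolerating
# sensor noise, beside a password-style hash check that cannot.
# Template size, repetition code and sample readings are constructed.

TEMPLATE_BITS = 256                        # constructed: a 256-bit binary feature template
REPEAT = 8                                 # repetition code: each key bit is written 8 times
KEY_BITS = TEMPLATE_BITS // REPEAT         # 32-bit key in this toy; real schemes use far more
MAX_FLIPS_PER_GROUP = (REPEAT - 1) // 2    # majority vote corrects up to 3 flips per group


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _encode(key_bits):
    """Repetition-code encoder: every key bit becomes REPEAT identical codeword bits."""
    return [bit for bit in key_bits for _ in range(REPEAT)]


def _decode(codeword):
    """Majority vote within each group of REPEAT bits; ties decode as 0."""
    return [1 if sum(codeword[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(codeword), REPEAT)]


def _bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def _digest(key_bits, salt):
    return hashlib.sha256(salt + _bits_to_bytes(key_bits)).digest()


def enroll(template, rng=None):
    """Store a sketch (codeword XOR template) plus a salted hash of the random key.
    Neither value is the template itself."""
    rng = rng or secrets.SystemRandom()
    key = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    salt = bytes(rng.getrandbits(8) for _ in range(16))
    return {
        "sketch": _xor(_encode(key), template),
        "salt": salt,
        "key_digest": _digest(key, salt),
    }


def verify(record, presented):
    """Unmask the sketch with a fresh reading, error-correct the result, and
    compare the recovered key's digest in constant time."""
    candidate = _decode(_xor(record["sketch"], presented))
    return hmac.compare_digest(_digest(candidate, record["salt"]), record["key_digest"])


def naive_hash_matches(enrolled, presented):
    """Password-style check: hash the raw template and compare digests.
    Any single-bit difference between readings makes this fail."""
    return hmac.compare_digest(
        hashlib.sha256(_bits_to_bytes(enrolled)).digest(),
        hashlib.sha256(_bits_to_bytes(presented)).digest(),
    )


def make_sample_templates(seed=7):
    """Constructed readings: the enrolled template, a later reading of the same
    person with light sensor noise, a reading damaged beyond what the code can
    correct (think of the injured-finger case), and a different person's template."""
    rng = random.Random(seed)
    enrolled = [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]

    noisy = list(enrolled)
    for group in range(12):                      # one flipped bit in 12 of the 32 groups
        noisy[group * REPEAT + (group % REPEAT)] ^= 1

    too_noisy = list(enrolled)
    for pos in range(MAX_FLIPS_PER_GROUP + 2):   # 5 flips in one group defeats the majority vote
        too_noisy[pos] ^= 1

    other = [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    return enrolled, noisy, too_noisy, other


if __name__ == "__main__":
    enrolled, noisy, too_noisy, other = make_sample_templates()
    record = enroll(enrolled)
    print("fuzzy commitment, same person, noisy reading :", verify(record, noisy))       # True
    print("fuzzy commitment, same person, damaged reading:", verify(record, too_noisy))  # False
    print("fuzzy commitment, different person            :", verify(record, other))      # False
    print("plain hash, same person, noisy reading        :", naive_hash_matches(enrolled, noisy))  # False
```

The stored record contains only the sketch and a salted digest of a random key, so a breach of the record does not hand over the template directly, and the key can be rotated by re-enrolling. The damaged-reading case shows the other side of the trade-off the post raises later: the same error tolerance that absorbs sensor noise has a limit, and a sufficiently changed biomarker locks the legitimate user out, which is one more reason to keep a fallback factor.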

Device and Application Limitations

Due to the widespread availability of biometric scanners on smartphones (like Apple’s Touch ID and Face ID and the Android equivalents), it may appear that biometric authentication is on its way to being not only common, but ubiquitous. In reality, however, many devices can’t incorporate biometric reader technology yet, including most desktop and laptop computers.

Similarly, even if a user is employing a fingerprint to access their device, most application sign-ins, including anything through a browser, are still heavily reliant on a password or PIN. Until every browser, every device, and every individual is fully compatible, relying solely on alternative authentication through biometrics is impossible.

Potential Exploitation Through Spoofing

Another consideration is that biometrics are essentially on display. For example, our facial information isn’t private; it’s available through photographs, many of which are online and freely available. This leaves individuals open to biometric risks and potential exploitation, as mentioned above. Once that data has been stolen, there’s no possibility of replacement.

Additionally, with the rise of deep-fake technology, it is becoming even easier to spoof photos and videos, meaning that facial recognition data will be less secure. The potential for spoofing also exists for fingerprint scans. Hackers have been able to make functioning scanners that are then ‘fooled’ by replicas (casts and molds) of real user fingerprints.

Since Touch ID technology has become more widely available, there are additional layers of defense like liveness detection, but there is still a long path ahead before the risk is truly eradicated.

Altered Appearance and Identity Verification Issues

While not at the forefront of most biometric risks, taking physical change into consideration is a critical part of developing secure authentication. From a kitchen fingertip injury to a dramatic change to facial structure from an accident or surgery, changes to biomarkers do occur.

If biometric authentication is the only method in use, the user would experience a difficult situation, and possibly a traumatizing one if dealing with an injury. A less dramatic issue has arisen recently with some Apple users looking for ways to use facial recognition while wearing a mask.

The Future of Authentication: A Layered Approach

While it’s a tantalizing concept, biometric authentication is a long way from being the cure-all for cybersecurity.

Instead, it should be used carefully and intelligently, in conjunction with other methods of identity verification like passwords and PINs. Taking a layered approach is the easiest way to ensure organizational security. Consider using authentication methods in pairings that complement each other. Don’t rely on just a fingerprint to prevent account takeover, and in the meantime, know that passwords are here to stay.
